Abstract

Vulnerability analysis has long been used to evaluate the security posture of a system. Different approaches, including vulnerability graphs and various vulnerability metrics, have been used to study the vulnerability landscape and provide security analysts with cyber situational awareness. However, most current solutions still lack a principled approach to quantifying the various dimensions of known vulnerabilities in a way that adapts easily to different application domains and operating conditions. To address this limitation, we introduce a vulnerability metrics framework that extends and generalizes our previous metrics for evaluating the exploitation likelihood of a vulnerability and the exposure factor of system components to vulnerability exploits. We argue that the factors influencing these metrics, and their relative weights, depend on the specific application domain, the defender's priorities, and the attacker's knowledge. Thus, instead of providing a static set of equations, we establish a framework for instantiating the equations that best model the scenario under consideration. We combine the likelihood and exposure factor metrics into a severity score that allows us to rank vulnerabilities. In our evaluation, we demonstrate that ranking vulnerabilities solely by their CVSS scores is not sufficient for effective prioritization: the number of possible distinct severity values is small compared to the sheer number of existing vulnerabilities, so many vulnerabilities end up tied at the same score. We define a ranking quality score and show that considering additional information about vulnerabilities helps refine their ranking, providing more actionable intelligence to security analysts.
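The tie problem the abstract describes can be made concrete without the paper's own equations. The following is an added illustration, not code from the paper or its authors: CVSS base scores range from 0.0 to 10.0 in 0.1 steps, so at most 101 distinct values exist, and by the pigeonhole principle an inventory of N vulnerabilities must contain a tie group of at least ceil(N/101) entries. The vulnerability IDs, scores and attributes below are constructed sample data (not real CVEs), and the secondary "exposure proxy" and the adjacent-pair strictness measure are assumed placeholders, not the likelihood, exposure factor or ranking quality score defined in the paper.

```python
# Added example (not from the paper): shows why a coarse, bounded severity
# scale such as CVSS produces large tie groups, and how an additional
# per-vulnerability attribute turns a tied ranking into a strict one.
# All IDs, scores and attributes are constructed sample data.
from typing import Callable, Dict, List, Tuple

CVSS_DISTINCT_VALUES = 101  # 0.0 .. 10.0 in 0.1 increments

# Constructed inventory: id -> (cvss_base, exploit_public, exposed_assets)
SAMPLE_VULNS: Dict[str, Tuple[float, bool, int]] = {
    "VULN-001": (9.8, True, 12),
    "VULN-002": (9.8, False, 3),
    "VULN-003": (9.8, True, 1),
    "VULN-004": (7.5, False, 40),
    "VULN-005": (7.5, True, 2),
    "VULN-006": (7.5, False, 7),
    "VULN-007": (5.3, False, 100),
    "VULN-008": (5.3, True, 5),
}


def tie_groups(vulns: Dict[str, Tuple[float, bool, int]]) -> Dict[float, List[str]]:
    """Group vulnerability IDs by CVSS score, highest score first."""
    groups: Dict[float, List[str]] = {}
    for vid, (score, _, _) in vulns.items():
        groups.setdefault(score, []).append(vid)
    return dict(sorted(groups.items(), key=lambda kv: -kv[0]))


def min_largest_tie_group(total: int, distinct: int = CVSS_DISTINCT_VALUES) -> int:
    """Pigeonhole lower bound on the largest tie group: ceil(total / distinct)."""
    return -(-total // distinct)


def exposure_proxy(entry: Tuple[float, bool, int], exploit_weight: float = 2.0) -> float:
    """Assumed tie-breaker (not the paper's metric): exposed asset count,
    doubled when a public exploit exists."""
    _, exploit_public, exposed = entry
    return exposed * (exploit_weight if exploit_public else 1.0)


def rank_by_cvss(vulns: Dict[str, Tuple[float, bool, int]]) -> List[str]:
    """CVSS-only ranking; ties fall back to ID order, i.e. are effectively arbitrary."""
    return sorted(vulns, key=lambda v: (-vulns[v][0], v))


def rank_refined(vulns: Dict[str, Tuple[float, bool, int]]) -> List[str]:
    """CVSS first, then the exposure proxy within each tie group."""
    return sorted(vulns, key=lambda v: (-vulns[v][0], -exposure_proxy(vulns[v]), v))


def strict_adjacent_fraction(ranking: List[str], score_fn: Callable[[str], object]) -> float:
    """Fraction of adjacent pairs in a ranking whose scores differ.
    1.0 means the ranking is strict; lower values mean unresolved ties.
    (A simple illustrative measure, not the paper's ranking quality score.)"""
    if len(ranking) < 2:
        return 1.0
    strict = sum(1 for a, b in zip(ranking, ranking[1:]) if score_fn(a) != score_fn(b))
    return strict / (len(ranking) - 1)


if __name__ == "__main__":
    for score, ids in tie_groups(SAMPLE_VULNS).items():
        print(f"CVSS {score}: {len(ids)} tied -> {ids}")
    print("largest tie group for 200000 vulns is at least",
          min_largest_tie_group(200000))
    cvss_only = rank_by_cvss(SAMPLE_VULNS)
    refined = rank_refined(SAMPLE_VULNS)
    print("CVSS-only strictness:",
          strict_adjacent_fraction(cvss_only, lambda v: SAMPLE_VULNS[v][0]))
    print("refined strictness:  ",
          strict_adjacent_fraction(
              refined, lambda v: (SAMPLE_VULNS[v][0], exposure_proxy(SAMPLE_VULNS[v]))))
    print("refined order:", refined)
```

On the constructed sample, CVSS alone leaves three tie groups and only two of seven adjacent pairs strictly ordered; adding the proxy yields a fully strict order. The proxy is deliberately crude: the paper's point is that the choice and weighting of such additional factors should be instantiated per domain rather than fixed.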
